Think like an Attacker to Protect against Data Breach
WHOAMI /groups
Where I work:
Husband / Red Teamer / Marine Corps Veteran
Twitter:
@RedVuln
Name:
Matt Batten
How to:
Think Like an Attacker to Protect against Data Breach
What about
Misconfigurations
Unpatched systems
Using default account credentials (i.e., usernames and passwords)
Unprotected files and directories
Unused web pages
Poorly configured network devices
https://resources.infosecinstitute.com/guide-preventing-common-security-misconfigurations/#gref
Old But New
08/26/2019 | Matt
An unquoted environment variable path in a Scheduled Task that runs as SYSTEM
Unquoted paths are abused frequently on engagements. Normally an attacker would see an unquoted service path, not an unquoted scheduled task path. What makes this one unique is that the path is built from an environment variable that expands to a value containing a space, which is what allows an attacker to abuse it. The key is that if the path is unquoted, Windows treats the space character in the path as a delimiter and will first try to run C:\Program.exe instead of knowing to go to C:\Program Files\. I was surprised that an up-to-date Windows 10 machine would still have a vulnerability like this.
The scheduled task shell-usoscan is present and active on a default install of Windows 10 and uses the environment variable %programfiles% in a path that is unquoted.
Example:
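A read-only audit for the condition described above, written for this page as an added example (not code from the talk). It lists every scheduled task action whose executable path is unquoted and contains a space after environment-variable expansion, which is how %programfiles% turns into a path with a space; it needs the ScheduledTasks module (Windows 8 / Server 2012 and later) and reports which principal the task runs as.

```powershell
# Added example (not from the talk): find scheduled tasks whose executable path
# contains a space but is not quoted, expanding environment variables first so a
# path such as %programfiles%\... is judged on its expanded form, as the Task
# Scheduler service will resolve it. Read-only; needs the ScheduledTasks module.
function Find-UnquotedTaskPath {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; skip them
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exe = $exe.Trim()
            # A quoted path is parsed as one token, so the delimiter problem does not apply
            if ($exe.StartsWith('"')) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            if ($expanded -match '\s') {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    RunsAs    = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    Execute   = $exe        # as stored in the task definition
                    Expanded  = $expanded   # what actually gets resolved
                    Arguments = $action.Arguments
                }
            }
        }
    }
}
# Tasks running as SYSTEM are the ones to fix first: quote the path in the task
# definition, or verify the ACLs on every directory along the expanded path.
Find-UnquotedTaskPath | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

A hit is only abusable where a low-privileged user can write into a directory along the expanded path, so pair the output with an ACL check on those directories before deciding what to remediate.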
08/26/2019: Submitted to MSRC
09/03/2019: Initial response from MSRC:
MSRC closed the case and asked how it was a MITM or social engineering attack
09/10/2019: Reached back out to ask MSRC because their response didn’t make sense;
informed MSRC of my intent to publish findings.
09/10/2019: MSRC reopened the ticket
09/10/2019: MSRC final response:
Will be a next version fix
This is the link provided by Microsoft as a point of reference:
https://blogs.msdn.microsoft.com/aaron_margosis/2014/11/14/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-unquoted-service-paths/
The reference sent by Microsoft refers to vendors having misconfigured services. This is a Microsoft-owned Scheduled Task.
Am I vulnerable?
YES!
You are always vulnerable.
That is why defense in depth is important.
There are 0-days that no one knows publicly.
Your network is most likely vulnerable without a 0-day exploit.
Every time you download a third-party application you open yourself up even more.
Most common things I have seen
OSINT
Fun word red teamers throw around
What are Red teamers doing?
Passwords and usernames in public
filetype:doc password "walmart"
Google Dorking
Enumerating subdomains
Public-facing services without multi-factor authentication
Why multi-factor authentication is important
Security Questions
Physical
Apps
Text
Employee’s personal account gets “hacked”
Why and how does this affect you?
Educate users on how to prevent their accounts from being compromised, and how to recognize if they already are.
Who cares?
Only you!
If someone's account gets taken over, local law enforcement most likely will not be able to help due to lack of resources.
There are options, but most are not likely to care unless it involves money over 10k, you are a political figure, or enough people report the same issue in a short amount of time.
Port Security
Does port security really help?
Such as sticky MACs.
Issues I have seen while testing this.
Scanning Methodology
Responder
LLMNR and NBT-NS spoofing is an easy way, even today, to harvest credentials and move laterally based off normal network traffic.
A powerful pentest utility included in Responder's tools folder giving you the ability to perform targeted NTLMv1 and NTLMv2 relay on a selected target. Currently MultiRelay relays HTTP, WebDav, Proxy, and SMB authentications to an SMB server. This tool can be customized to accept a range of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.
(http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html)
Multi-Relay
SMB signing not on (I know you can't turn it on)
Compatibility issues.
Every penetration test you will get the same feedback (turn SMB signing on).
Too bad you are still running that Windows 2003 server.
Ways to stop Responder and pass the hash (PTH)
Honestly, it is hard.
Disable LLMNR and NBT-NS
Create an entry for WPAD
GPO for SMB signing and NTLMv2
Ensure that an account an attacker gets to is not an admin (only use secure workstations as an admin).
Why are some systems not restarted for years?
What is LSASS?
Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.
(https://www.anvir.com/local-security-authority-subsystem-service-lsassexe.htm)
An attacker can get the password of every user who has logged into that box since the last time it was restarted.
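A read-only audit of a Windows host for the controls listed under "Ways to stop Responder and pass the hash", plus LSA protection (RunAsPPL), which keeps the credentials LSASS holds from being read by an attacker who lands on a box that has not been restarted in years. This is an added example for this page, not the talk's own material; the registry paths are the documented policy locations, and the WPAD DNS entry is a DNS-side change that a host audit cannot check.

```powershell
# Added example (not from the talk): read-only audit of a Windows host for the
# controls listed under "Ways to stop Responder and pass the hash", plus LSA
# protection, which keeps credentials in LSASS from being read by an attacker
# who lands on the box. Registry paths are the documented policy locations;
# "Hardened" is the target value, to be set via GPO rather than by this script.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent = not configured
    return $item.$Name
}
function Test-ResponderHardening {
    $checks = @(
        # "Turn off multicast name resolution" policy: 0 disables LLMNR
        @{ Control='LLMNR disabled'
           Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
           Name='EnableMulticast'; Want=0 }
        # SMB signing required, server side
        @{ Control='SMB server signing required'
           Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name='RequireSecuritySignature'; Want=1 }
        # SMB signing required, client side
        @{ Control='SMB client signing required'
           Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Name='RequireSecuritySignature'; Want=1 }
        # 5 = send NTLMv2 only, refuse LM and NTLM
        @{ Control='NTLMv2 only'
           Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name='LmCompatibilityLevel'; Want=5 }
        # LSA protection: 1 runs LSASS as a protected process (RunAsPPL)
        @{ Control='LSA protection (RunAsPPL)'
           Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name='RunAsPPL'; Want=1 }
    )
    foreach ($c in $checks) {
        $have = Get-RegValue $c.Path $c.Name
        [pscustomobject]@{ Control=$c.Control; Current=$have
                           Hardened=$c.Want; Pass=($have -eq $c.Want) }
    }
    # NBT-NS is a per-adapter setting: NetbiosOptions 2 = NetBIOS over TCP/IP off
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($if in Get-ChildItem $ifRoot) {
        $have = Get-RegValue $if.PSPath 'NetbiosOptions'
        [pscustomobject]@{ Control="NBT-NS disabled on $($if.PSChildName)"
                           Current=$have; Hardened=2; Pass=($have -eq 2) }
    }
}
Test-ResponderHardening | Format-Table -AutoSize
```

A Current value of blank means the policy is not configured at all, so the host is running with its built-in default, which for SMB client signing and LmCompatibilityLevel is the weak setting the talk complains about.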
dsquery
SIEM
Very powerful instrument in the right hands.
Alarms and rules must be properly set.
Turnover rate of analyst makes it harder.
Need a baseline (high turnover rate = no understanding of baseline).
Ticket Management
Team gets an alarm.
Looks up what the alarm is and sees that another analyst handled it by adding it to additional comments.
So the analyst who sees the alarm now also adds it to additional comments and saves without looking at the SIEM.
See any issues with this?
Security analysts need to be trained.
Do not get complacent.
Playbooks and Runbooks need to be a thing.
If you enjoyed this talk and would like to know more
If you have any questions or are just interested in talking, feel free to message me on Twitter. (Walk up to me while I am here)
Twitter: @RedVuln
Name: Matt Batten